osu part 1
This commit is contained in:
parent
cebee13139
commit
d718e5ac65
@ -1,5 +1,5 @@
|
|||||||
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
|
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
|
||||||
index be37123f..57df7990 100644
|
index be37123f..6490e311 100644
|
||||||
--- a/apparmor.d/tunables/multiarch.d/system
|
--- a/apparmor.d/tunables/multiarch.d/system
|
||||||
+++ b/apparmor.d/tunables/multiarch.d/system
|
+++ b/apparmor.d/tunables/multiarch.d/system
|
||||||
@@ -106,8 +106,9 @@
|
@@ -106,8 +106,9 @@
|
||||||
@ -9,7 +9,7 @@ index be37123f..57df7990 100644
|
|||||||
-@{bin}=/{,usr/}{,s}bin
|
-@{bin}=/{,usr/}{,s}bin
|
||||||
-@{lib}=/{,usr/}lib{,exec,32,64}
|
-@{lib}=/{,usr/}lib{,exec,32,64}
|
||||||
+@{base_paths} = /nix/store/* /etc/profiles/per-user/* /run/current-system/sw
|
+@{base_paths} = /nix/store/* /etc/profiles/per-user/* /run/current-system/sw
|
||||||
+@{bin}=@{base_paths}/bin
|
+@{bin}=@{base_paths}/bin /{,usr/}{,s}bin
|
||||||
+@{lib}=@{base_paths}/lib
|
+@{lib}=@{base_paths}/lib
|
||||||
|
|
||||||
# Common places for temporary files
|
# Common places for temporary files
|
||||||
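Review bot: The new `@{bin}=@{base_paths}/bin /{,usr/}{,s}bin` value re-adds the FHS directories to `@{bin}` for every profile that uses it, so a rule such as `@{bin}/bash ix` now also matches under `/bin`, `/usr/bin` and `/sbin`, while `@{lib}` on the next line keeps only the Nix paths. If that asymmetry is deliberate (on NixOS those directories typically hold little beyond `/bin/sh` and `/usr/bin/env`), a comment inside the patched tunable would record it, e.g. `# FHS bin dirs kept for /bin/sh and /usr/bin/env; /usr/lib is not populated here`.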
|
@ -24,6 +24,8 @@ in
|
|||||||
/nix/store/*/bin/** mr,
|
/nix/store/*/bin/** mr,
|
||||||
/nix/store/*/lib/** mr,
|
/nix/store/*/lib/** mr,
|
||||||
/nix/store/** r,
|
/nix/store/** r,
|
||||||
|
${getExe' pkgs.coreutils "coreutils"} rix,
|
||||||
|
${getExe' pkgs.coreutils-full "coreutils"} rix,
|
||||||
'';
|
'';
|
||||||
|
|
||||||
"local/speech-dispatcher" = ''
|
"local/speech-dispatcher" = ''
|
||||||
@ -34,11 +36,21 @@ in
|
|||||||
|
|
||||||
"local/pass" = ''
|
"local/pass" = ''
|
||||||
${getExe' pkgs.pass ".pass-wrapped"} rix,
|
${getExe' pkgs.pass ".pass-wrapped"} rix,
|
||||||
${getExe' pkgs.coreutils "coreutils"} rix,
|
'';
|
||||||
|
|
||||||
|
"local/pass_gpg" = ''
|
||||||
|
@{PROC}/@{pid}/fd/ r,
|
||||||
|
/nix/store/*/libexec/keyboxd ix,
|
||||||
|
owner /run/user/*/gnupg/S.keyboxd wr,
|
||||||
|
'';
|
||||||
|
|
||||||
|
"abstractions/app/udevadm.d/udevadm_is_exec" = ''
|
||||||
|
@{bin}/udevadm mrix,
|
||||||
'';
|
'';
|
||||||
|
|
||||||
"local/firefox" = ''
|
"local/firefox" = ''
|
||||||
${pkgs.passff-host}/share/** rPx -> passff,
|
${pkgs.passff-host}/share/** rPx -> passff,
|
||||||
|
@{HOME}/.mozilla/firefox/** mr,
|
||||||
'';
|
'';
|
||||||
|
|
||||||
"local/thunderbird" = ''
|
"local/thunderbird" = ''
|
||||||
@ -47,8 +59,12 @@ in
|
|||||||
'';
|
'';
|
||||||
|
|
||||||
"local/xdg-open" = ''
|
"local/xdg-open" = ''
|
||||||
${getExe' pkgs.coreutils "coreutils"} rix,
|
@{PROC}/version r,
|
||||||
/proc/version r,
|
'';
|
||||||
|
|
||||||
|
"local/xdg-mime" = ''
|
||||||
|
owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
|
||||||
|
@{PROC}/version r,
|
||||||
'';
|
'';
|
||||||
|
|
||||||
"local/vesktop" = ''
|
"local/vesktop" = ''
|
||||||
@ -60,9 +76,9 @@ in
|
|||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/dev/udmabuf rw,
|
/dev/udmabuf rw,
|
||||||
/dev/ r,
|
/dev/ r,
|
||||||
/sys/devices/@{pci}boot_vga r,
|
@{sys}/devices/@{pci}boot_vga r,
|
||||||
/sys/devices/@{pci}idVendor r,
|
@{sys}/devices/@{pci}idVendor r,
|
||||||
/sys/devices/@{pci}idProduct r,
|
@{sys}/devices/@{pci}idProduct r,
|
||||||
'');
|
'');
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -79,7 +95,6 @@ in
|
|||||||
${getExe pkgs.pass} Px,
|
${getExe pkgs.pass} Px,
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
swaymux = {
|
swaymux = {
|
||||||
@ -95,6 +110,122 @@ in
|
|||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
osu-lazer = {
|
||||||
|
enable = true;
|
||||||
|
enforce = true;
|
||||||
|
profile = ''
|
||||||
|
abi <abi/4.0>,
|
||||||
|
include <tunables/global>
|
||||||
|
profile osu-lazer @{bin}/osu\! flags=(attach_disconnected) {
|
||||||
|
include <abstractions/base> # read access to /nix/store, basic presets for most apps
|
||||||
|
|
||||||
|
# include <abstractions/audio-client>
|
||||||
|
include <abstractions/common/bwrap>
|
||||||
|
# include <abstractions/ssl_certs>
|
||||||
|
include <abstractions/devices-usb>
|
||||||
|
# include <abstractions/vulkan-strict>
|
||||||
|
# include <abstractions/mesa>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/app/udevadm>
|
||||||
|
# include <abstractions/desktop>
|
||||||
|
include <abstractions/app/bus>
|
||||||
|
include <abstractions/common/game>
|
||||||
|
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
network inet stream,
|
||||||
|
network inet6 stream,
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
|
owner @{PROC}/@{pid}/net/dev r,
|
||||||
|
owner @{PROC}/@{pid}/net/if_inet6 r,
|
||||||
|
owner @{PROC}/@{pid}/net/ipv6_route r,
|
||||||
|
owner @{PROC}/@{pid}/net/route r,
|
||||||
|
|
||||||
|
capability mknod,
|
||||||
|
|
||||||
|
/dev/tty{@{d},} rw,
|
||||||
|
|
||||||
|
${pkgs.osu-lazer-bin}/bin/osu? ix,
|
||||||
|
${getExe pkgs.bubblewrap} rix,
|
||||||
|
/nix/store/*-osu-lazer-bin-*-bwrap ix,
|
||||||
|
/nix/store/*-osu-lazer-bin-*-init ix,
|
||||||
|
/nix/store/*-osu-lazer-bin-*-extracted/** rk,
|
||||||
|
/nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
|
||||||
|
/nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
|
||||||
|
|
||||||
|
@{bin}/ldconfig ix,
|
||||||
|
@{bin}/appimage-exec.sh ix,
|
||||||
|
@{bin}/rev ix,
|
||||||
|
@{bin}/bash ix,
|
||||||
|
@{bin}/grep ix,
|
||||||
|
@{bin}/lsblk ix,
|
||||||
|
@{bin}/awk ix,
|
||||||
|
@{bin}/gawk ix,
|
||||||
|
|
||||||
|
@{bin}/xdg-mime Px,
|
||||||
|
${getExe' pkgs.gamemode "gamemoderun"} ix,
|
||||||
|
|
||||||
|
owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,
|
||||||
|
owner @{HOME}/.dotnet/** rwkm,
|
||||||
|
owner @{HOME}/@{XDG_DATA_DIR}/Sentry/** rwk,
|
||||||
|
owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
|
||||||
|
owner @{HOME}/@{XDG_DATA_DIR}/applications/discord-*.desktop rwk,
|
||||||
|
|
||||||
|
/ r,
|
||||||
|
/nix/store/*-etc-os-release rk,
|
||||||
|
/nix/store/*/share/zoneinfo/** rk,
|
||||||
|
|
||||||
|
owner /tmp/** rwk,
|
||||||
|
/usr/lib/ r,
|
||||||
|
|
||||||
|
/var/cache/ldconfig/ rw,
|
||||||
|
owner /etc/ld.so* rw,
|
||||||
|
|
||||||
|
@{PROC}/@{pid}/stat rk,
|
||||||
|
@{PROC}/@{pid}/task/@{pid}/comm wr,
|
||||||
|
@{PROC}@{sys}/kernel/os{type,release} rk,
|
||||||
|
@{PROC}/version r,
|
||||||
|
@{PROC}/{sys,@{pid}}/net/** rk,
|
||||||
|
@{PROC}/@{pid}/maps rk,
|
||||||
|
|
||||||
|
/dev/snd/** rw,
|
||||||
|
/dev/input/ r,
|
||||||
|
/dev/dri/** wr,
|
||||||
|
/dev/input/** r,
|
||||||
|
/dev/udmabuf wr,
|
||||||
|
/dev/hidraw* rw,
|
||||||
|
|
||||||
|
/.host-etc/alsa/conf.d/{,**} r,
|
||||||
|
/.host-etc/ssl/certs/{,**} r,
|
||||||
|
/.host-etc/resolv.conf rk,
|
||||||
|
|
||||||
|
/run/udev/data/* r,
|
||||||
|
|
||||||
|
# @{sys}/devices/@{pci}device r,
|
||||||
|
# @{sys}/devices/@{pci}boot_vga r,
|
||||||
|
# @{sys}/devices/@{pci}subsystem_vendor r,
|
||||||
|
# @{sys}/devices/@{pci}subsystem_device r,
|
||||||
|
# @{sys}/devices/virtual/dmi/id/* r,
|
||||||
|
# @{sys}/devices/@{pci}uevent r,
|
||||||
|
# @{sys}/devices/virtual/sound/** r,
|
||||||
|
# @{sys}/devices/virtual/block/** r,
|
||||||
|
# @{sys}/block/ r,
|
||||||
|
# @{sys}/devices@{sys}tem/node/ r,
|
||||||
|
# @{sys}/fs/cgroup/{,**/} r,
|
||||||
|
# @{sys}/fs/cgroup/** r,
|
||||||
|
# @{sys}/devices/@{pci}sound/** r,
|
||||||
|
# @{sys}/devices/@{pci}vendor r,
|
||||||
|
# @{sys}/class/hidraw/ r,
|
||||||
|
# @{sys}/class/input/ r,
|
||||||
|
# @{sys}/class/input/{,**} r,
|
||||||
|
# @{sys}/devices/**/input/** r,
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
vesktop = {
|
vesktop = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enforce = true;
|
enforce = true;
|
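Review bot: `capability mknod,` in the osu-lazer profile is granted with no note on what needs it, and it sits alongside `owner /tmp/** rwk,`, so if the capability is really required the confined process can also create device nodes under its own /tmp entries; if it was copied from a denial log rather than a known requirement of the bwrap launcher, drop it or annotate it with `# needed by <launcher step> - TODO confirm`. The `rwkm` rules for `owner @{HOME}/.dotnet/**` and `owner @{HOME}/@{XDG_DATA_DIR}/osu/**` combine write and mmap-exec on user-writable trees, so the profile cannot stop code placed there from being mapped executable; if that is accepted because the runtime keeps assemblies there, a one-line comment saying so saves the next reader re-deriving it. `@{PROC}@{sys}/kernel/os{type,release} rk,` only works because `@{sys}` expands to `/sys`; `@{PROC}/sys/kernel/os{type,release} rk,` says what is meant, and the commented `@{sys}/devices@{sys}tem/node/` line shows the same find-and-replace went through text it should not have. The `@{bin}/xdg-mime Px,` transition lands in the xdg-mime profile that the last hunk leaves at `enforce = false`, so that boundary is logged rather than enforced until the import conflict noted there is resolved.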
||||||
@ -172,6 +303,39 @@ in
|
|||||||
include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"
|
include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
# gamemoded = {
|
||||||
|
# enable = true;
|
||||||
|
# enforce = true;
|
||||||
|
# profile = ''
|
||||||
|
# include "${apparmor-d}/etc/apparmor.d/profiles-g-l/gamemoded"
|
||||||
|
# '';
|
||||||
|
# };
|
||||||
|
|
||||||
|
pkexec = {
|
||||||
|
enable = false;
|
||||||
|
enforce = false;
|
||||||
|
# somehow this has conflicting imports and i have no clue how to fix it
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pkexec"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
xdg-mime = {
|
||||||
|
enable = true;
|
||||||
|
enforce = false;
|
||||||
|
# somehow this has conflicting imports and i have no clue how to fix it
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-mime"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
mimetype = {
|
||||||
|
enable = true;
|
||||||
|
enforce = false;
|
||||||
|
# somehow this has conflicting imports and i have no clue how to fix it
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/profiles-m-r/mimetype"
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|